Earlier this month, Iranian web developer Pouya Darabi discovered a critical vulnerability in Facebook that let anyone delete any photo from the social media platform. The flaw resided in Facebook’s new Poll feature, launched earlier this month, which lets users create polls that include GIFs and images.

When Darabi analyzed this feature, he found that when a user creates a poll, a request is sent to Facebook’s servers containing the image ID of the chosen photo, and that anyone could replace this ID with the ID of any other photo on the social network. When the image ID is changed, that particular image is shown in the poll.

“Whenever a user tries to create a poll, a request containing gif URL or image id will be sent, poll_question_data[options][][associated_image_id] contains the uploaded image id,” Darabi said. “When this field value changes to any other image’s ID, that image will be shown in poll.”

Moreover, if the poll creator then deletes the poll, the original image, sourced from someone else’s page, is permanently deleted along with it.
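The missing authorization check described above, as an added example that is not Facebook's code or part of Darabi's report: a small in-memory model in which the server checks the owner of each supplied image ID when the poll is created and again before the delete cascades. The names PollService, create_poll, delete_poll and run_scenario, and the sample users and photo IDs, are assumptions made for illustration.

```python
from dataclasses import dataclass, field

class Forbidden(Exception):
    """Raised when the caller is not authorized for the referenced object."""

@dataclass
class PollService:  # hypothetical service, not a real API
    photos: dict                                 # photo_id -> owner user id
    polls: dict = field(default_factory=dict)    # poll_id -> (creator, [photo ids])
    enforce_ownership: bool = True               # False models the reported behaviour

    def create_poll(self, user, poll_id, image_ids):
        for image_id in image_ids:
            if image_id not in self.photos:
                raise KeyError(f"unknown photo {image_id}")
            # Check 1: a client-supplied object id is only a claim; authorize it
            # against the authenticated user before storing the reference.
            if self.enforce_ownership and self.photos[image_id] != user:
                raise Forbidden(f"{user} does not own photo {image_id}")
        self.polls[poll_id] = (user, list(image_ids))

    def delete_poll(self, user, poll_id):
        creator, image_ids = self.polls[poll_id]
        if creator != user:
            raise Forbidden(f"{user} did not create poll {poll_id}")
        del self.polls[poll_id]
        for image_id in image_ids:
            # Check 2: the cascade re-checks each photo's owner, so a bad
            # reference that slipped in earlier cannot remove someone else's photo.
            if not self.enforce_ownership or self.photos.get(image_id) == user:
                self.photos.pop(image_id, None)

def run_scenario(enforce_ownership):
    """Constructed data: alice owns photo 101, bob owns photo 202."""
    svc = PollService({101: "alice", 202: "bob"}, enforce_ownership=enforce_ownership)
    try:
        svc.create_poll("bob", "p1", [202, 101])   # 101 is not bob's
        svc.delete_poll("bob", "p1")
        outcome = "accepted"
    except Forbidden:
        outcome = "rejected"
    return outcome, sorted(svc.photos)

if __name__ == "__main__":
    print(run_scenario(False))  # model without the ownership checks
    print(run_scenario(True))   # model with both checks
```
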

Darabi reported the bug to Facebook on November 3, as soon as he discovered it. The social media giant responded immediately, releasing a temporary fix on November 3 followed by a permanent fix on November 5. On November 8, Facebook awarded him a $10,000 bounty for preventing potential damage to users and to the social media giant’s reputation in general.

This isn’t the first time Darabi has received a reward from Facebook. In 2015, the company awarded him a $15,000 bug bounty for bypassing its protection against cross-site request forgery (CSRF), and in 2016 he earned another $7,500 for finding a similar issue.
